TLS trends at GCHQ

Source of data

Our TLS events come from our TLS app 

- Runs on special source (approx. 200 x 10G) and Comsat data

- Produces unselected events: about 10 billion Server Hellos per week

Records details about the handshake: IPs, Hello messages, Certificate, Key Exchanges

Events stored for 6 months in our clouds

Trends Reports

We summarise these events to produce weekly trends reports, which record:

- Types of key exchange (RSA/DH/EC)

- "Top 40" TLS services in use, highlighting new services and changes in existing services

- Details about the crypt (e.g. DH moduli)

- "Watchlist" to keep an eye on widely-used services (Facebook, Gmail, Hotmail, etc)

Example:

#1 Top Certificates seen by Common Name (top 40 services)

[Screenshot of a weekly trends report table. Columns: Common Name | Modulus | Valid from | Valid until | Issuer org | Position | % of Total | Past % | Raw count. The Modulus column gives a truncated hex prefix and the key size in bits (1024 or 2048). Position, percentage and raw count each show the past value in parentheses.]

TS//SI//REL 




Trends Reports: Findings 

RSA:DH:EC ratio roughly constant (90:5:5)

- EC almost entirely Google (plus a bit of WhatsApp)

New certificates mostly use 2048-bit RSA keys

We've seen new services jump up the list:

- Summer 2011: Google's switch to Elliptic Curves

- Autumn 2011: Apple's iCloud service

- Spring 2012: Increase in mobile Facebook encryption

TLS and targets

Trends reports not based on targeted data 

How do we judge interest in TLS services, and get analysts involved? Two ways we've tried:

- Associate TLS events with targets, and inform the relevant analysts (TargeTLS)

- Put TLS data out there for analysts to search (FLYING PIG)

TargeTLS reports

BROAD OAK: GCHQ's repository of target info 

We match TLS events against this: 

- Is the server IP in BROAD OAK? 

- Does the certificate's domain match a URL selector, or a number of email selectors?

Email the relevant POC to ask if the traffic is of interest

About 15% of the services we've identified in this way have been worth looking into further

FLYING PIG

TLS knowledge base. Summarises all TLS events to answer multiple questions, e.g.:

- What certificates are present on a given IP?

- Which client IPs access a given service?

- Which TDIs can be associated with a given service?

Example: search by domain



FLYING PIG: TLS/SSL Knowledge Base

[Screenshot of the FLYING PIG query interface, showing a certificate field search for %mail.ru.]

Tabs: HRA Justification; Query FLYING PIG - general SSL toolkit; Query QUICK ANT - Tor events QFD

Query form:

- IP / network / certificate field: %mail.ru

- Query as: Client IP, Server IP or Both; or Network [e.g. 1.2.3.0/24]; or Server Certificate [e.g. %example.com (use % for wildcards)]

- Server certificate fields to search within: Subject common name, Subject organisation name, Issuer common name, Issuer organisation name, RSA modulus

Result panels:

- All HTTP requests matching your query (1 - 5 of 500 items). Columns: Server IP, Host name, First seen, Last seen, Count w/e 25th Nov, Count all time

- All certificates matching your query (1 - 10 of 70 items). Columns: Full Certificate, First seen, Last seen, Count w/e 25th Nov, Count all time, Valid from, Valid to, Subject common name, Subject country, Subject org name, Issuer common name, Issuer country, Issuer org name, Self signed

- Server IPs (1 - 25 of 500 items). Columns: Server IP, Cert count w/e 25th Nov, Cert count all time

Tips shown in the certificates panel:

- Tip 1: Right click on a row to find all server IPs that serve that certificate!

- Tip 2: Click on the disk icon in the title bar to download data in CSV format!

- Tip 3: Double-click on a field to enable copy and paste!

- Tip 4: Change displayed columns ('Basic' is default; 'Advanced' adds RSA Modulus and cipher suite distribution columns)

Tip shown in the Server IPs panel:

- Tip 1: Right click on a server IP to explore it further!

Example: search by server



FLYING PIG: TLS/SSL Knowledge Base

[Screenshot of the FLYING PIG results page for a Server IP query on an address ending .184.14, reached from the certificate field search %mail.ru.]

Panels listed:

- General IP info; Top 10 SSL client geos; Top 10 SSL server ports; Top 10 SSL case notations; SSL Traffic stats

- Server IP-specific panels: SSL Server certificates seen on this IP; SSL Pattern of life; HTTP requests to this IP; Top 100 SSL clients

General IP info for server IP:

- Geolocation: Country: RU; City: MOSCOW

- WHOIS info: Company: Mail.Ru; Domain: mail.ru

- AS info: Advertised by AS: 47764; AS name: MAILRU-AS Limited liability company Mail.Ru

- DNS: No results

- Tor node: No matches

SSL Traffic stats (views: Overall; Paired (approximate)), for week ending 2011-12-23:

- No. unique clients = 104317

- % client-server IPs with traffic seen in both directions = 14.7%

- Chart series: unique clients with client-server traffic only; unique clients with server-client traffic only; unique clients with bidirectional traffic

SSL Certificates seen on this IP (1 - 3 of 3 items). Columns: First seen on this IP, Last seen on this IP, Count w/e 25th Nov, Count all time, Valid from, Valid to, Subject common name, Issuer common name

- Tip 1: Right click on a certificate to explore it further!

Average pattern of life for a client (seeded around SSL events to this server IP). Columns: Correlated event, Event IP, Event port, Percentage occurrences of event

HTTP requests to this IP (top 100). Columns: Server IP, Hostname requested, First seen, Last seen, Count last week, Count all time

Contacts

TLS trends: Crypt Operations BULLRUN team

FLYING PIG: ICTR Network Exploitation